Windows 10 forgotten password (Off VPN)


So, straight to the problem: the relaxed user comes back off holiday and typically has forgotten their password. They cannot log on to their hybrid laptop and, due to the lack of an always-on VPN, will now need to drive into the office so they can connect to the network and cache a new password which has been set for them.


The user could log on locally with an emergency account and a unique password. An analyst could then assist them with the built-in Windows 10 Quick Assist application and enable the required VPN in a different session. This is not a very elegant solution and would need a way to centrally manage that password and audit its use.


An additional thought: perhaps a Cisco AnyConnect VPN Management Tunnel on the ASA might give the PC access to the DC pre-logon, so if the password was reset in AD then the user's PC would cache that and permit them to log on. Just a thought.

An alternative might be the Start Before Logon (SBL) feature which starts a VPN connection before the user logs in to Windows. This ensures that users connect to their corporate infrastructure before logging on to their computers.
On Windows, the Pre-Login Access Provider (PLAP) is used to implement AnyConnect SBL.

With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or activate Network Connections (PLAP components) using the Network Connect button in the lower-right corner of the window.

This permits the user to connect into the Active Directory infrastructure by being able to communicate with the domain controller.

I'm sure someone else has come across this, especially now we have more home workers. Ideas here please, anything greatly appreciated.



0 Replies
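
Start Before Logon as described in the post needs two things on the endpoint: a client profile with `UseStartBeforeLogon` set to `true`, and a PLAP provider registered with Windows. The read-only PowerShell check below reports both; it is an added example, not part of the original post and not Cisco's code. The AnyConnect 4.x profile directory and the `vpnplap` DLL-name match are assumptions, and the sample profile is constructed.

```powershell
# Read-only check of Start Before Logon (SBL) prerequisites on a Windows endpoint.
# Assumptions: AnyConnect 4.x default profile directory; PLAP DLL name contains 'vpnplap'.
$ProfileDir = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$PlapKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers'

function Test-SblProfile {
    param([Parameter(Mandatory)][string]$Xml, [string]$Name = '(inline)')
    $doc  = [xml]$Xml
    # Profiles declare a default XML namespace, so match on the element's local name.
    $node = $doc.SelectSingleNode("//*[local-name()='UseStartBeforeLogon']")
    [pscustomobject]@{
        Profile          = $Name
        SblEnabled       = ($null -ne $node) -and ($node.InnerText.Trim() -eq 'true')
        UserControllable = if ($node) { $node.GetAttribute('UserControllable') } else { $null }
    }
}

function Get-PlapProvider {
    # Lists every registered PLAP provider with the DLL that implements it.
    if (-not (Test-Path $PlapKey)) { return }
    foreach ($k in Get-ChildItem $PlapKey) {
        $clsid  = $k.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll; LooksLikeAnyConnect = ($dll -match 'vpnplap') }
    }
}

# Constructed sample profile fragment, so the parser can be exercised on any machine.
$sample = @'
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
  </ClientInitialization>
</AnyConnectProfile>
'@
Test-SblProfile -Xml $sample -Name 'constructed-sample' | Format-List

# Real profiles and PLAP providers on this endpoint, if present.
if (Test-Path $ProfileDir) {
    Get-ChildItem $ProfileDir -Filter *.xml | ForEach-Object {
        Test-SblProfile -Xml (Get-Content -LiteralPath $_.FullName -Raw) -Name $_.Name
    } | Format-List
}
Get-PlapProvider | Format-List
```

A profile with `SblEnabled` false, or no provider row flagged `LooksLikeAnyConnect`, means the Network Connect button will not be offered at the logon screen.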